Malware Analysis Report

2025-03-15 06:01

Sample ID 240512-a2tg8sgc61
Target 2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia
SHA256 c5a78e1a26d1abe23e3fcf598b01f2c325fd285cf55b9b1456c74953e162ce2a
Tags
gh0strat rat vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5a78e1a26d1abe23e3fcf598b01f2c325fd285cf55b9b1456c74953e162ce2a

Threat Level: Known bad

The file 2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia was found to be: Known bad.

Malicious Activity Summary

gh0strat rat vmprotect

Gh0strat

Gh0st RAT payload

Detects executables packed with VMProtect.

Loads dropped DLL

VMProtect packed file

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-12 00:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 00:42

Reported

2024-05-12 00:45

Platform

win7-20240221-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A (12 identical hits, all fields N/A)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A (8 identical hits, all fields N/A)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\G: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\H: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\J: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\M: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\Q: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\W: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\E: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\I: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\N: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\V: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\Z: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\X: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\K: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\O: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\P: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\S: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\T: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\U: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\B: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\L: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\R: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A (64 identical hits)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia.exe"

C:\Users\Public\IEYunioBox\IEYunioBox.exe

"C:\Users\Public\IEYunioBox\IEYunioBox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 aqdl6w.ph.files.1drv.com udp
US 13.107.42.12:443 aqdl6w.ph.files.1drv.com tcp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 book2.cookielive.top udp
HK 38.45.124.69:1688 book2.cookielive.top tcp
HK 103.235.46.40:443 www.baidu.com tcp
N/A 10.127.0.138:4820 tcp
US 8.8.8.8:53 a.ayousb.com udp
HK 103.127.83.35:4820 a.ayousb.com tcp

Files

\Users\Public\IEYunioBox\IEYunioBox.exe

MD5 6e2ab372b7aa0ee2b2b41b642a380201
SHA1 4370faef1f91993ff0027c91b28c8ef02fc63ac7
SHA256 0cea224426ffc805373f28f4e92c7856bcd1c35202561e983dc78d358b0a5e2d
SHA512 9b74c278f1e33c09c97f4811299466809ac41b86737630ddcb22943c97ffb3b37c48101cd529e833fb3485dd1c6dcf71f661a8ee0e77dae39e7bc4d16b3c2148

memory/2728-23-0x0000000000400000-0x0000000000DDD000-memory.dmp

C:\Users\Public\IEYunioBox\curl.ext.dll

MD5 3388c0354f6fc015c6a30df10dfb72de
SHA1 760c96ecabd90e6b0b727c9b155f3a29a3ea5cd6
SHA256 76f3513bbea93c24efcf9ffd7eae906b6a262e3c96a34f5087e39987eb3dc559
SHA512 d0eb1f3e2130d6097cf0a6c85dc0c4dedfecc0e65525d1b5140f4d9670c674ac6e94859c28bdbf508012940865d22b0e35af705c2669fb5bc05842edc86bb3ee

C:\Users\Public\IEYunioBox\DumpLib.dll

MD5 b6ecc078a0e288748f33ed4007758eb1
SHA1 8a0b61f63664e2b4849733447ee5224ffb4ba875
SHA256 3398bf14d61c9d7d2704ef1551efc907ab53ed4ef1523c55816574db4692d5e8
SHA512 815e4d1e61762b0cd42c39de949b64c24cb79cae9bcb5ec9205039a9b989276b158ec581897dc9704e85b67002bd8a6098cd8cfcefd8423b4b893d0d3812e9e6

\Users\Public\IEYunioBox\AssnFightNet.dll

MD5 a67d7f13a847e69e48f1f11beb74d425
SHA1 84bf8400bfcb7acf73cc8ec55104c1add9b415c0
SHA256 5dfdc20e2c67de0b550599f5e93ee0d547d4cb889ea0b2267dce2b7eb08536d1
SHA512 e391ce132248545c20fae8e539052612d762061f7170bd1741508221741c55aae395b56caa13b1948439ce3f562feaaaf6f171775653603b03fe22dd0c27221a

memory/2728-31-0x0000000000230000-0x0000000000319000-memory.dmp

memory/2728-28-0x00000000746A0000-0x00000000748E2000-memory.dmp

\Users\Public\IEYunioBox\XLLuaRuntime.dll

MD5 b44b02bc83831fd07f2d28b796fc49ec
SHA1 ed9914f9362b323b197f92a4fee9946c34b80d44
SHA256 150eb65bc447971d15f533a256bdfb075961908be629ce92ce6c8370905653ff
SHA512 e8364a08554119001141c245dcb3f1770afba442a0d50c7e448774cade0854df35aeed642c3aac92e3746b181f493e25aeb880bbfaa50716c17009e746db90ea

memory/2728-33-0x00000000026F0000-0x0000000002745000-memory.dmp

C:\Users\Public\IEYunioBox\libcurl.dll

MD5 e8319c3c86be7fed599327578849b140
SHA1 e0654dfaf44d2b96f37c62f6cc316247d9d6b28a
SHA256 19d9f4613bcc6793cf209f09a1c8b72ac6ce6f1c0af75081f8b357d157971a5a
SHA512 1fd299e9601b2287650800611f6d95dfe1d88f8b441e2b7244a851685f5a74173c23c2558a50e9e7e9d6b0249b53e83e4ac9dbf0c1fe1d356fdfb67cfe056127

C:\Users\Public\IEYunioBox\LIBEAY32.dll

MD5 2c74bd6ad79127ecfcfacd7e58d3655f
SHA1 ea0f46f4c95fdf59985d0cea2abbc5fb04ea00e2
SHA256 6990521aac3227e5970db05213b0fdbbb174eb5c1788cb7b033cd4043ba45644
SHA512 b8b72d103cac0847e7308ad1a6967b7922e4185e3455975b84d8c07fee1197ffa029d977364cdabdbd7151617af583c0f10019fe459af426999cccf15cb5a1ae

\Users\Public\IEYunioBox\ssleay32.dll

MD5 9f3fb0fff13d3c141873d4823de5d268
SHA1 c5a016155aff9cd8cf0880e3060e3dcacf016ddc
SHA256 6957303f95a67754885fb1301d9064c708d675dac0ed454886f5ed4c82be77d6
SHA512 98a8114ef6a4eab29d1389508d17486ae605b92ca468c5feaf42c5357edafdba6d8003290bc9084dd0ab51793cff6eaccb9685f3d5aefb4ed1e4bfc07765d1a6

\Users\Public\IEYunioBox\zlib1.dll

MD5 6791dcad6284684082033063c2cd7e72
SHA1 4fd11e7eb298d2cb18d1f8e74536e4a58c1cd0b7
SHA256 202af400d7840830bc7182cf31d4f54ddd0023ed109c5f810495293aec9197ce
SHA512 79a5b58cbaea1c6004b5075e2df9b284ca9a32627da677078a896a659c34c65204bf43f70aeb4ef05601573c4b4190113c550e1ae1c3c0489cca73a621a67bd3

memory/2728-42-0x0000000000F70000-0x0000000000F82000-memory.dmp

memory/2728-43-0x00000000746A0000-0x00000000748E2000-memory.dmp

memory/2728-45-0x0000000000230000-0x0000000000319000-memory.dmp

memory/2728-48-0x0000000000400000-0x0000000000DDD000-memory.dmp

C:\Users\Public\IEYunioBox\poqexec.log

MD5 bddeb003252646b091b0e39a3250a238
SHA1 b95ce3f576fe9feecba8cf0cff5a692bb11f1566
SHA256 8b54c3fed46a2ff3eb5356a54fb361d4601a465a46044330d542c8418cba4d02
SHA512 ef092c724f47f756f4b1ebdad6103a8e5b268042501793f61d6a6c1ff46bde9fc90d4ed758451888e6614d96d8dcef2f858865fd2f840e470d94304fdedefdc4

memory/2728-50-0x00000000032B0000-0x0000000003346000-memory.dmp

C:\Users\Public\IEYunioBox\task.dat

MD5 773f06fc4ba1a140a9b4ad2985a4de0c
SHA1 f9c46bc32bab3f501b113f6f5a0d286243aa9796
SHA256 67de6e9fedd0ff80e05f52ee2d2540e5f0d9461a6d1a171f1ba9b97ba6b695bc
SHA512 c2bc9cb8940e0bfc4d344ea387400c79bb502697955a1f8c27f6618cf294283d1bb9f895e9c8e2b7dae20d8d46821b55e95d65a59060853be77c84b06480d5df

memory/2728-57-0x0000000003350000-0x00000000033CB000-memory.dmp

C:\Users\Public\IEYunioBox\IEYunioBox.dat

MD5 188b4929590e2c69088b7522e480dce7
SHA1 ab9b186eaf3b50840c3bc269dd1d611c055f16b3
SHA256 2bc78d8fae7e776ef60779f8546126f9bce6aa0d7016d32000725cc4ea31e4cf
SHA512 af13c22cad62f981629c95b1ccfd1fce4bd28fbc05f97c22891fb5f547981270e791e61a6406b4164adee5fdd4b7354a13b2415c25f5f94f6febcd59ab2b89f3

memory/2728-74-0x000000006B240000-0x000000006B2A8000-memory.dmp

memory/2728-73-0x00000000026F0000-0x0000000002745000-memory.dmp

memory/2728-75-0x0000000063000000-0x00000000631A9000-memory.dmp

memory/2728-76-0x000000006E400000-0x000000006E461000-memory.dmp

memory/2728-81-0x0000000000400000-0x0000000000DDD000-memory.dmp

memory/2728-82-0x00000000746A0000-0x00000000748E2000-memory.dmp

memory/2728-83-0x0000000000230000-0x0000000000319000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 00:42

Reported

2024-05-12 00:45

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A (12 identical hits, all fields N/A)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A (8 identical hits, all fields N/A)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\Y: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\G: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\J: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\R: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\V: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\K: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\T: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\W: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\B: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\E: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\H: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\I: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\Z: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\L: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\M: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\P: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\Q: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\N: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\O: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\S: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
File opened (read-only) \??\U: C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Public\IEYunioBox\IEYunioBox.exe N/A (64 identical hits)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-12_2ecbdd1a3b33b674f621ce440f9c18d3_mafia.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Public\IEYunioBox\IEYunioBox.exe

"C:\Users\Public\IEYunioBox\IEYunioBox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 aqdl6w.ph.files.1drv.com udp
US 13.107.42.12:443 aqdl6w.ph.files.1drv.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 12.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 book2.cookielive.top udp
US 8.8.8.8:53 www.baidu.com udp
HK 38.45.124.69:1688 book2.cookielive.top tcp
HK 103.235.46.40:443 www.baidu.com tcp
US 8.8.8.8:53 69.124.45.38.in-addr.arpa udp
US 8.8.8.8:53 40.46.235.103.in-addr.arpa udp
N/A 10.127.0.95:4820 tcp
US 8.8.8.8:53 a.ayousb.com udp
HK 103.127.83.35:4820 a.ayousb.com tcp
US 8.8.8.8:53 35.83.127.103.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

C:\Users\Public\IEYunioBox\IEYunioBox.exe

MD5 6e2ab372b7aa0ee2b2b41b642a380201
SHA1 4370faef1f91993ff0027c91b28c8ef02fc63ac7
SHA256 0cea224426ffc805373f28f4e92c7856bcd1c35202561e983dc78d358b0a5e2d
SHA512 9b74c278f1e33c09c97f4811299466809ac41b86737630ddcb22943c97ffb3b37c48101cd529e833fb3485dd1c6dcf71f661a8ee0e77dae39e7bc4d16b3c2148

C:\Users\Public\IEYunioBox\curl.ext.dll

MD5 3388c0354f6fc015c6a30df10dfb72de
SHA1 760c96ecabd90e6b0b727c9b155f3a29a3ea5cd6
SHA256 76f3513bbea93c24efcf9ffd7eae906b6a262e3c96a34f5087e39987eb3dc559
SHA512 d0eb1f3e2130d6097cf0a6c85dc0c4dedfecc0e65525d1b5140f4d9670c674ac6e94859c28bdbf508012940865d22b0e35af705c2669fb5bc05842edc86bb3ee

C:\Users\Public\IEYunioBox\DumpLib.dll

MD5 b6ecc078a0e288748f33ed4007758eb1
SHA1 8a0b61f63664e2b4849733447ee5224ffb4ba875
SHA256 3398bf14d61c9d7d2704ef1551efc907ab53ed4ef1523c55816574db4692d5e8
SHA512 815e4d1e61762b0cd42c39de949b64c24cb79cae9bcb5ec9205039a9b989276b158ec581897dc9704e85b67002bd8a6098cd8cfcefd8423b4b893d0d3812e9e6

memory/4184-32-0x0000000000400000-0x0000000000DDD000-memory.dmp

memory/4184-36-0x00000000013C0000-0x00000000014A9000-memory.dmp

memory/4184-35-0x0000000073960000-0x0000000073BA2000-memory.dmp

C:\Users\Public\IEYunioBox\AssnFightNet.dll

MD5 a67d7f13a847e69e48f1f11beb74d425
SHA1 84bf8400bfcb7acf73cc8ec55104c1add9b415c0
SHA256 5dfdc20e2c67de0b550599f5e93ee0d547d4cb889ea0b2267dce2b7eb08536d1
SHA512 e391ce132248545c20fae8e539052612d762061f7170bd1741508221741c55aae395b56caa13b1948439ce3f562feaaaf6f171775653603b03fe22dd0c27221a

C:\Users\Public\IEYunioBox\XLLuaRuntime.dll

MD5 b44b02bc83831fd07f2d28b796fc49ec
SHA1 ed9914f9362b323b197f92a4fee9946c34b80d44
SHA256 150eb65bc447971d15f533a256bdfb075961908be629ce92ce6c8370905653ff
SHA512 e8364a08554119001141c245dcb3f1770afba442a0d50c7e448774cade0854df35aeed642c3aac92e3746b181f493e25aeb880bbfaa50716c17009e746db90ea

memory/4184-51-0x0000000002C90000-0x0000000002CA2000-memory.dmp

C:\Users\Public\IEYunioBox\zlib1.dll

MD5 6791dcad6284684082033063c2cd7e72
SHA1 4fd11e7eb298d2cb18d1f8e74536e4a58c1cd0b7
SHA256 202af400d7840830bc7182cf31d4f54ddd0023ed109c5f810495293aec9197ce
SHA512 79a5b58cbaea1c6004b5075e2df9b284ca9a32627da677078a896a659c34c65204bf43f70aeb4ef05601573c4b4190113c550e1ae1c3c0489cca73a621a67bd3

C:\Users\Public\IEYunioBox\libeay32.dll

MD5 2c74bd6ad79127ecfcfacd7e58d3655f
SHA1 ea0f46f4c95fdf59985d0cea2abbc5fb04ea00e2
SHA256 6990521aac3227e5970db05213b0fdbbb174eb5c1788cb7b033cd4043ba45644
SHA512 b8b72d103cac0847e7308ad1a6967b7922e4185e3455975b84d8c07fee1197ffa029d977364cdabdbd7151617af583c0f10019fe459af426999cccf15cb5a1ae

memory/4184-52-0x0000000073960000-0x0000000073BA2000-memory.dmp

memory/4184-54-0x00000000013C0000-0x00000000014A9000-memory.dmp

C:\Users\Public\IEYunioBox\ssleay32.dll

MD5 9f3fb0fff13d3c141873d4823de5d268
SHA1 c5a016155aff9cd8cf0880e3060e3dcacf016ddc
SHA256 6957303f95a67754885fb1301d9064c708d675dac0ed454886f5ed4c82be77d6
SHA512 98a8114ef6a4eab29d1389508d17486ae605b92ca468c5feaf42c5357edafdba6d8003290bc9084dd0ab51793cff6eaccb9685f3d5aefb4ed1e4bfc07765d1a6

C:\Users\Public\IEYunioBox\libcurl.dll

MD5 e8319c3c86be7fed599327578849b140
SHA1 e0654dfaf44d2b96f37c62f6cc316247d9d6b28a
SHA256 19d9f4613bcc6793cf209f09a1c8b72ac6ce6f1c0af75081f8b357d157971a5a
SHA512 1fd299e9601b2287650800611f6d95dfe1d88f8b441e2b7244a851685f5a74173c23c2558a50e9e7e9d6b0249b53e83e4ac9dbf0c1fe1d356fdfb67cfe056127

memory/4184-40-0x0000000002D50000-0x0000000002DA5000-memory.dmp

memory/4184-56-0x0000000000400000-0x0000000000DDD000-memory.dmp

C:\Users\Public\IEYunioBox\poqexec.log

MD5 bddeb003252646b091b0e39a3250a238
SHA1 b95ce3f576fe9feecba8cf0cff5a692bb11f1566
SHA256 8b54c3fed46a2ff3eb5356a54fb361d4601a465a46044330d542c8418cba4d02
SHA512 ef092c724f47f756f4b1ebdad6103a8e5b268042501793f61d6a6c1ff46bde9fc90d4ed758451888e6614d96d8dcef2f858865fd2f840e470d94304fdedefdc4

C:\Users\Public\IEYunioBox\task.dat

MD5 773f06fc4ba1a140a9b4ad2985a4de0c
SHA1 f9c46bc32bab3f501b113f6f5a0d286243aa9796
SHA256 67de6e9fedd0ff80e05f52ee2d2540e5f0d9461a6d1a171f1ba9b97ba6b695bc
SHA512 c2bc9cb8940e0bfc4d344ea387400c79bb502697955a1f8c27f6618cf294283d1bb9f895e9c8e2b7dae20d8d46821b55e95d65a59060853be77c84b06480d5df

memory/4184-59-0x0000000003A90000-0x0000000003B26000-memory.dmp

memory/4184-65-0x00000000033B0000-0x000000000342B000-memory.dmp

C:\Users\Public\IEYunioBox\IEYunioBox.dat

MD5 188b4929590e2c69088b7522e480dce7
SHA1 ab9b186eaf3b50840c3bc269dd1d611c055f16b3
SHA256 2bc78d8fae7e776ef60779f8546126f9bce6aa0d7016d32000725cc4ea31e4cf
SHA512 af13c22cad62f981629c95b1ccfd1fce4bd28fbc05f97c22891fb5f547981270e791e61a6406b4164adee5fdd4b7354a13b2415c25f5f94f6febcd59ab2b89f3

memory/4184-82-0x0000000002D50000-0x0000000002DA5000-memory.dmp

memory/4184-84-0x000000006E400000-0x000000006E461000-memory.dmp

memory/4184-85-0x0000000063000000-0x00000000631A9000-memory.dmp

memory/4184-83-0x000000006B240000-0x000000006B2A8000-memory.dmp

memory/4184-86-0x0000000000400000-0x0000000000DDD000-memory.dmp

memory/4184-87-0x0000000073960000-0x0000000073BA2000-memory.dmp

memory/4184-92-0x00000000013C0000-0x00000000014A9000-memory.dmp